Thread Info
  • State Not Answered
  • Replies 7 replies
  • Subscribers 0 subscribers
  • Views 1675 views
  • Users 0 members are here
Options
Suggested

[7.080] ACC SSO works too well [CONFIRMED]

gkemter
Funny Thing:

for testing i remove my asg-beta from acc, and disable/enable central managment on asg.
Than i check on acc if the asg rejoinded, so far ok.
So i try to up2date ASG thru ACC (ACC->Device Managment->Check ASG-> Up2Date), so far ok, no new updates [:)]

Switchig back to dashboard i noticed that user name changed from admin to CM__Admin ???
So i try to Log Off from ASG, but after Log Off Webmin relogs in, without asking for User/Pass.
So i close Firefox and start IE , after accepting cert, i was succsefull authentificated (No User/Pass question)
I Try this from differnet PC, but allways same result: no ask for user/pass, after accept cert and caching object, the browser goes to dashboard. Log Off result in Logoff and immediatly Logon.

After reboot asg and acc, disabling Central managment, still same procedure,
i`am loged in with CM__admin. 

here the log from user auth daemon: 

2007:11:21-14:52:43 (none) aua[28610]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"

2007:11:21-20:07:09 (none) aua[13533]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"

2007:11:21-20:50:14 (none) aua[15845]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"

2007:11:21-21:27:46 (none) aua[17683]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"

2007:11:21-22:04:40 (none) aua[20848]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"

2007:11:21-22:16:55 (none) aua[21444]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"

2007:11:21-22:31:23 (none) aua[22370]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"

2007:11:21-22:31:36 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-22:32:26 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-22:36:05 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-22:36:14 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-22:36:32 (none) aua[22717]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"

2007:11:21-22:37:44 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.24" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-22:37:55 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.24" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-22:38:37 (none) aua[2823]: id="3006" severity="info" sys="System" sub="auth" name="TERM signal received, shutting down daemon"

2007:11:21-22:40:02 (none) aua[2826]: id="3001" severity="info" sys="System" sub="auth" name="Daemon started successfully"

2007:11:21-22:42:50 (none) aua[6053]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"

2007:11:21-22:44:54 (none) aua[2826]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-22:46:34 (none) aua[2826]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-22:48:11 (none) aua[6645]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"

2007:11:21-22:50:24 (none) aua[2826]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"

2007:11:21-23:00:57 (none) aua[7473]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"

2007:11:21-23:08:21 (none) aua[8284]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"

2007:11:21-23:18:29 (none) aua[9364]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"


Maybe i should try to delete CM__Admin ?

Gregor Kemter

Edit: If somebody tell me how to break this "autologin" loop, maybe i can reproduce this [;)]
Edit2: I am happy that i limit access to ASG to my internal net only, if not the thing would be not funny
Parents
  • 0
    after i went home, the "autologin" feature dont let me sleep, so i drive back to office, and try factory reset.
    But after factory reset, the webmin stll try to login with CM__admin [:O]
    , so i decide to make fresh install from cd .
    Unfortunle my latest Sai-Iso was 7.006, but after feeding all  the up2date files und config.backup the asg runs now.

    Gregor Kemter
  • 0 in reply to gkemter
    Hi Gregor!

    Finally WebAdmin SSO seems to work ... *um* a little bit too well ...

    ACC will create a user CM__admin on ASG V7 only if you press the WebAdmin button in ACC (from a monitoring view or registration). Then the auto-login to WebAdmin is performed. The user creation and auto-login will not happen if you just check for Up2Dates as you have described.

    Anyway, there is an issue with credentials not properly invalidated after SSO, so you are stuck in this auto-login / never-logout forever-loop. It is fixed in the upcoming 7.085 beta.

    As we knew of this beforehand Tom must decide if you still get any points - I mean you had the shock and the sleepless night ... Sorry for that.

    As for breaking the auto-login loop, you can try the following:

    # unlink /var/sec/chroot-httpd/var/webadmin/var/acc_credentials.ph

    Cheers and thanks,
    Henning
  • 0 in reply to megaposer
    Hi Henning


    The user creation and auto-login will not happen if you just check for Up2Dates as you have described.


    I think i also try to start webmin thru ACC, but the webmin dont come up directly, so i close this new browser tab.
    Maybe this was the issue

    Gregor Kemter
  • 0 in reply to gkemter
    Still broken in 7.091... that is, the un-ending automatic login loop after an ACC SSO Sign-On.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    hehe, i was to lazy to try it again [:D]
    One sleepless night with autologin was  enough for me

    Gregor Kemter
  • 0 in reply to gkemter
    It's a little different (at least in my setup) than what you experienced.  WHen I attempt to connect via ACC, it starts to go, then I get a connection timed out (which is not a problem if I try to connect directly, from the same workstation)... I rebooted the unit using SSH, then I then attempt a login (directly to the unit, no ACC involved) using a TOTALLY DIFFERENT computer, and instead of getting a prompt for login, it jumps right to the dashboard using a CM_username account, the one that would have been used if my ACC login had worked properly.... seems maybe they've almost got it fixed.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Anyone else able to reproduce this? It seems like a somewhat serious security issue...

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Reply Children
No Data
Unfiltered HTML